Identity verification method and apparatus

ABSTRACT

A system detects that a target service program is being executed by a computing device. The target service program is one of a plurality of pre-defined service programs to be suspended to complete an identity verification of a user using the target service program. Execution of the target service program is suspended on the computing device. An identity verification program is executed on the computing device. The identity verification program is configured to perform the identity verification of the user to obtain an identity verification result indicating whether an identity of the user is verified. The identity verification program is independent from the target service program.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims the benefit of priorityof U.S. patent application Ser. No. 16/200,318, filed on Nov. 26, 2018,which is a continuation of PCT Application No. PCT/CN2017/080855, filedon Apr. 18, 2017, which claims priority to Chinese Patent ApplicationNo. 201610365906.2, filed on May 27, 2016, and each application ishereby incorporated by reference in its entirety.

TECHNICAL FIELD

The present invention relates to information technologies, and inparticular, to an identity verification method and apparatus.

BACKGROUND

Identity verification is usually used to verify a user's identity whenthe user opens client software or enters the client software to performa specific service operation, so as to improve service security. Inexisting technologies, identity verifications such as entering passcodeby gesture are implemented by identity verification logic code embeddedin service logic code included in client software that performs theidentity verification.

However, because the coupling degree between identity verification logiccode and service logic code is relatively high, if identity verificationneeds to be performed in different service scenarios, same identityverification logic code needs to be embedded in all service logic code.Therefore, it is inconvenient to perform operations of maintainingidentity verification logic.

SUMMARY

The present invention provides an identity verification method andapparatus, to resolve a technical problem in the existing technologythat it is inconvenient to perform operations of maintaining identityverification logic.

To achieve the previous objective, the following technical solutions areused in the implementations of the present invention.

A first aspect provides an identity verification method, including:suspending a target service program when it is detected that the targetservice program is running; and calling an identity verification programto perform identity verification, so as to obtain an identityverification result, where the identity verification program and thetarget service program are independent of each other.

A second aspect provides an identity verification apparatus, including:a suspension module, configured to suspend a target service program whenit is detected that the target service program is running; and averification module, configured to call an identity verification programto perform identity verification, so as to obtain an identityverification result, where the identity verification program and thetarget service program are independent of each other.

In the identity verification method and apparatus provided in theimplementations of the present invention, when it is detected that thetarget service program is running, the on-going target service programis suspended, and the identity verification program is performed. Inaddition, the service program and the identity verification program areindependent of each other, that is, the coupling degree between theservice program and the identity verification program is relatively low.When identity verification needs to be performed on service programs indifferent service scenarios, one identity verification program can beused to complete an identity verification process through detection onthe plurality of service programs, thereby resolving a technical problemof inconvenient maintenance of the identity verification program.

The previous descriptions are merely an overview of the technicalsolutions of the present invention. For better understanding of thetechnical means of the present invention, the previous descriptions canbe implemented based on content of the specification; and to make theprevious and other objectives, features, and advantages of the presentinvention more comprehensible, implementations of the present inventionare described as follows.

BRIEF DESCRIPTION OF DRAWINGS

It becomes clear for persons skilled in the art to learn various otheradvantages and benefits by reading detailed description of the followingpreferred implementations. Accompanying drawings are merely used forshowing the preferred implementations, but not considered as alimitation on the present invention. In all accompanying drawings, asame reference symbol is used to indicate a same part. In theaccompanying drawings:

FIG. 1 is a schematic flowchart illustrating an identity verificationmethod, according to Implementation 1 of the present invention;

FIG. 2 is a schematic diagram illustrating a control program;

FIG. 3 is a first schematic diagram illustrating an identityverification method in the existing technology;

FIG. 4 is a second schematic diagram illustrating an identityverification method in the existing technology;

FIG. 5 is a schematic flowchart illustrating an identity verificationmethod, according to Implementation 2 of the present invention;

FIG. 6 is a schematic structural diagram illustrating an identityverification apparatus, according to Implementation 3 of the presentinvention;

FIG. 7 is a schematic structural diagram illustrating another identityverification apparatus, according to Implementation 4 of the presentinvention; and

FIG. 8 is a flowchart illustrating an example of a computer-implementedmethod for executing an identity verification program during completionof an identity verification of a user using a target service program,according to an implementation of the present disclosure.

DESCRIPTION OF IMPLEMENTATIONS

Implementations of the present disclosure that are used as examples aredescribed in more detail with reference to the accompanying drawings.Although the accompanying drawings show the implementations of thepresent disclosure that are used as examples, it should be understoodthat the present disclosure can be implemented in various forms, andshall not be limited by the implementations described here. On thecontrary, these implementations are provided for clearer understandingof the present disclosure, and to completely convey the scope of thepresent disclosure to the person skilled in the art.

An identity verification method and apparatus provided in theimplementations of the present invention are described in detail withreference to the accompanying drawings.

Implementation 1

FIG. 1 is a schematic flowchart illustrating an identity verificationmethod, according to Implementation 1 of the present invention. Aterminal device such as a mobile phone usually has one or more services,and implementation of each service depends on at least one serviceprogram. For ease of description, in the following implementations, aservice program of a service currently operated by a user is referred toas a target service program.

It should be noted that each service program mentioned here can be anindependent application, or can be an application formed by variousservice programs, and is not limited in this implementation.

The method provided in this implementation can be performed by a controlprogram different from the target service program discussed in thefollowing description. The control program runs on said terminal device.The program for performing this method is used for identity verificationof a user when the user starts to operate on a target service but hasnot yet obtained service-related information, thereby ensuringinformation security of the service-related information.

As shown in FIG. 1, the identity verification method includes thefollowing steps.

Step 101: Suspend the target service program when it is detected thatthe target service program is running.

Specifically, a target function used to display a service interface, forexample, a startAPP method function, indicates that the service programis running a target process used for processing the service interface.Therefore, all service programs that are running the target process canbe determined by detecting a service program that calls the targetfunction. When a service program is running the target process, itindicates that a target program starts to run. In implementation, theprogram for performing the method in this implementation canspecifically detect a call interface of the target function, to learn ofa service program that calls the target function.

In a possible implementation, identity verification can be performed ona service with a relatively high security requirement, instead ofperforming identity verification on all services. Therefore, a targetprocess on which identity verification needs to be performed can bedetermined in advance from all the services. After a service programthat runs the target process is detected, it needs to be furtherdetermined whether the detected service program is a target process onwhich identity verification needs to be performed. Only when the serviceprogram is the target service program, the on-going service program issuspended.

When it is detected that the target service program runs the targetprocess, the target service program is suspended, to suspend theon-going target service program. Because the on-going target service issuspended when it is detected that the target service program starts torun the target process for displaying the service interface, a runningresult of the target process, that is, display-related information ofthe service interface, has not been generated yet. Therefore, theservice interface is not displayed on a terminal device of the user.

Step 102: Call an identity verification program to perform identityverification, so as to obtain an identity verification result.

The identity verification program and the target service program areindependent of each other. Independence described here means that thereis no interface such as a call interface between the two programs.

Specifically, after the on-going target service program is suspended,the identity verification program is performed, so as to obtain theidentity verification result.

In a possible implementation, the control program for performing themethod provided in this implementation cannot implement an identityverification function. Therefore, after suspending the on-going targetservice program, the control program for performing the method providedin this implementation calls the identity verification program that canimplement the identity verification function, and the identityverification program returns the identity verification result. FIG. 2 isa schematic diagram illustrating a control program. As shown in FIG. 2,when detecting that the target service program is running, the controlprogram for performing this method suspends the target service program,and the control program performs identity verification on the user bycalling the identity verification program, to ensure informationsecurity of service-related information.

It can be seen that, in this implementation, separation between theidentity verification program and the service program is implemented,and the identity verification program and the service program areindependent of each other. Compared with a method shown in FIG. 3 thatidentity verification logic is embedded into a service program, in themethod provided in this implementation, the coupling degree between theidentity verification program and the service program is reduced. InFIG. 3, in a programming phase of the service program, it needs todetermine whether identity verification needs to be performed on theservice program, interface processing logic, identity verificationlogic, and service processing logic that are needed by the serviceprogram are integrated into the service program, and the identityverification logic needs to be repeatedly written into different serviceprograms when identity verification needs to be performed on serviceprograms in different service scenarios. However, in the method providedin this implementation, when it is detected that the target serviceprogram is running, an on-going target service program is suspended, andthe identity verification program is performed. In addition, the serviceprogram and the identity verification program are independent of eachother. When identity verification needs to be performed on serviceprograms in different service scenarios, one identity verificationprogram can be used to complete an identity verification process throughdetection on the plurality of service programs, thereby resolving atechnical problem of inconvenient maintenance of the identityverification program.

In addition, an interface between the identity verification program andthe service program is eliminated in comparison with the program callingmethod shown in FIG. 4. As shown in FIG. 4, a service program calls anidentity verification program by using a call interface between theservice program and the identity verification program. Compared withsaid method, in the method provided in the present implementation,because the interface between the identity verification program and theservice program is eliminated, a process of determining, in theprogramming phase, whether identity verification needs to be performedon the service program, and reserving a call interface for calling theidentity verification program is not needed. As such, the identityverification program and the service program are truly independent.

Based on the identity verification method disclosed in the presentimplementation, a person skilled in the art can implement identityverification of the user by using various identity verification forms.For example, identity verification can be performed by using at leastone of gesture, fingerprint, and character password. The identityverification form is not limited in this implementation.

Further, before identity verification is performed, characteristicinformation of the target process in the target service program can beidentified based on a calling request used by the target service programto call the target function. The calling request includes an identifierof the target service program, an identifier of the service interfaceprocessed by the target process, and/or a network address included inthe service interface processed by the target process.

Match a policy in a policy set based on the characteristic information.If a matched policy exists in the policy set, identity verification isperformed.

Further, after identity verification is performed, if the identityverification result is that the identity verification is successful, thetarget service program resumes to run.

Specifically, whether to resume the target service program is determinedbased on the identity verification result. If the identity verificationresult is that the identity verification is successful, the targetservice program resumes. If the identity verification result is that theidentity verification fails, the service program is quit.

This is because if identity verification fails, it indicates that anidentity of a user who currently operates the service program isinsecure, and needs to be further verified. Therefore, to protect userdata, all service programs that are currently being operated by the userare forced to quit to avoid data leakage.

Implementation 2

FIG. 5 is a schematic flowchart illustrating an identity verificationmethod, according to Implementation 2 of the present invention. In thisimplementation, an ALIPAY application is used as an example to describein detail the identity verification method. The ALIPAY applicationincludes different services, for example, Pay, YU'E Bao, KOUBEI, RedEnvelope, and ANT FORTUNE. Because a payment service relates tofinancial security of a user, identity verification needs to beperformed on a user during an operation of a payment service. Here, aprogram used for implementing a payment service is referred to as atarget service program, and a process used for processing a paymentservice interface is referred to as a target process. The methodincludes the following steps.

Step 201: After detecting that a user taps an icon, a terminal deviceruns a target service program corresponding to the icon.

When it is detected that the user taps an icon of a payment service inan ALIPAY interface, it is determined that the user needs to enable thepayment service and perform an operation on the payment service.

Step 202: A target process in the target service program calls astartAPP method function.

The startAPP method function is used to process a service interface ofeach service. Therefore, before the service interface of each service isdisplayed, the startAPP method function needs to be called. The servicesthat perform the step of displaying the service interface are determinedbased on the calling status the startAPP method function by theprogram,.

For example, in the ALIPAY application, after each service program isstarted, the startAPP method function needs to be called before aservice interface is displayed. Therefore, the startAPP method functioncan be detected, to determine a service program that is running but isnot displayed on a service interface.

Step 203: A gesture verification program detects, in real time, aservice program and a process that call the startAPP method function.When detecting that the target process in the target service programcalls the startAPP method function, the gesture verification programintercepts the on-going startAPP method function by using aninterception technology.

Before displaying a service interface, the service program needs towrite content that needs to be displayed in the service interface into arequest for calling the startAPP method function, so as to provide thecontent that needs to be displayed and related information of theservice program for the startAPP method function. As such, the startAPPmethod function processes the service interface based on the contentthat needs to be displayed, and returns a processing result to theservice program, and the service program performs the step ofdisplaying.

Therefore, after detecting the service program and the process that callthe startAPP method function, the gesture verification program canobtain the related information of the service program from the requestfor calling the startAPP method function, that is, an identifier of theservice program and an identifier of the service interface processed bythe process, and identify whether a network address is included in thecontent that needs to be displayed in the service interface. If thenetwork address is included, the network address included in the serviceinterface can be further obtained.

Step 204: The gesture verification program matches the target process inthe target service program with a policy in a policy set, to determinewhether identity verification needs to be performed; and if there is nomatched policy, step 205 is performed; or if there is a matched policy,step 206 is performed.

The policy set includes different policies, where each policy records anidentifier of a service program, and can further include an identifierof a service interface processed by a process and/or a network addressincluded in the service interface.

The policy records the identifier of the service program. This isbecause identity verification needs to be performed only on someservices, instead of on all services in an application. For example,identity verification needs to be performed on YU'E BAO and the paymentservice in ALIPAY, but does not need to be performed on KOUBEI.Therefore, the policy set can be preconfigured based on characteristicinformation of a service program on which identity verification needs tobe performed, and/or characteristic information of a process on whichidentity verification needs to be performed.

The policy records the identifier of the service interface. This isbecause one service program can include more than one service interface,and identity verification needs to be performed only when a user needsto display a specific service interface. Therefore, a correspondingidentifier of the specific service interface is added to the policy.

In addition, the policy records the network address included in theservice interface. This is because only when the service interfacesdisplay a network address that links to a page including userinformation, identity verification needs to be performed on a userbefore some service interfaces are displayed. If the service interfacedoes not include the network address that links to the page includingthe user information, identity verification does not need to beperformed on the user.

Step 205: If there is no matched policy, it indicates that identityverification does not need to be performed for that service. Thus, thegesture verification program is ended, the startAPP method functionresumes, and after the startAPP method function is completed, a serviceinterface of a target service is displayed.

Step 206: If there is a matched policy, it indicates that identityverification needs to be performed on a service, and the gestureverification program displays an interface of gesture verification.

The gesture verification program implements identity verification bycalling a specific identity verification program or function.

Step 207: The gesture verification program determines, based on agesture pattern entered by a user, whether identity verificationsucceeds, and if identity verification succeeds, step 208 is performed;otherwise, step 209 is performed.

A standard gesture pattern is pre-stored in the gesture verificationprogram, and the gesture pattern entered by the user is compared withthe standard gesture pattern. If the gesture pattern entered by the useris the same as the standard gesture pattern, it is determined thatidentity verification succeeds; otherwise, identity verification fails.

Step 208: End the gesture verification program, resume the startAPPmethod function, and after the startAPP method function is completed,display the service interface of the target service.

Step 209: The gesture verification program resumes displaying theinterface of gesture verification, and quits the target service programuntil the number of gesture patterns entered reaches a preset threshold.

Each currently running service programs in an application that includesthe target service program can be forcibly quit when the target serviceprogram is quit, so as to enhance security of user information.

Implementation 3

FIG. 6 is a schematic structural diagram illustrating an identityverification apparatus, according to Implementation 3 of the presentinvention. As shown in FIG. 6, the apparatus includes a suspensionmodule 32 and a verification module 33.

The suspension module 32 is configured to suspend a target serviceprogram when it is detected that the target service program is running.

The verification module 33 is configured to call an identityverification program to perform identity verification, so as to obtainan identity verification result.

The identity verification program and the target service program areindependent of each other. The identity verification program isconfigured to perform identity verification by using at least one of agesture, a fingerprint, and a character password.

In the identity verification apparatus provided in this implementation,when it is detected that the target service program is running, thesuspension module 32 suspends the on-going target service program, andthe verification module 33 performs an identity verification step. Inaddition, the service program and the identity verification program areindependent of each other, that is, the coupling degree between theservice program and the identity verification program is relatively low.When identity verification needs to be performed on service programs indifferent service scenarios, one identity verification program can beused to complete an identity verification process through detection onthe plurality of service programs, thereby resolving a technical problemof inconvenient maintenance of the identity verification program.

Implementation 4

FIG. 7 is a schematic structural diagram illustrating another identityverification apparatus, according to Implementation 4 of the presentinvention. As shown in FIG. 7, on the basis of the identity verificationapparatus provided in FIG. 6, the identity verification apparatusfurther includes a detection module 30.

The detection module 30 is configured to detect a service program thatruns a target process.

The suspension module 32 is configured to suspend the target serviceprogram when it is detected that the target service program runs thetarget process.

The target process is used to process a service interface, and thetarget process includes calling of a target function. The targetfunction is used to display the service interface, and in specificimplementation, the target function can be a startAPP method function.

Further, the identity verification apparatus includes a restorationmodule 34, a quit module 35, a matching module 36, and a configurationmodule 37.

The restoration module 34 is configured to resume the target serviceprogram, if the identity verification result is that identityverification succeeds,

The quit module 35 is configured to quit the service program if theidentity verification result is that identity verification fails.

The matching module 36 is configured to match a preset policy set withcharacteristic information of the target service program, and/orcharacteristic information of a process run by the target serviceprogram.

Based on above step, the suspension module 32 is specifically configuredto determine that a matched policy exists in the policy set beforesuspending the on-going target service program.

The configuration module 37 is configured to configure the policy setbased on characteristic information of a service program on whichidentity verification needs to be performed, and/or characteristicinformation of a process on which identity verification needs to beperformed.

The characteristic information includes an identifier of the targetservice program, an identifier of the service interface processed by thetarget process, and/or a network address included in the serviceinterface processed by the target process.

A person of ordinary skill in the art can understand that all or some ofthe steps of the method implementations can be implemented by a programinstructing relevant hardware. The program can be stored in acomputer-readable storage medium. When the program runs, the steps ofthe method implementations are performed. The previous storage mediumincludes any medium that can store program code, such as a ROM, a RAM, amagnetic disk, or an optical disc.

Finally, it should be noted that the previous implementations are merelyintended for describing the technical solutions of the presentinvention, but not for limiting the present invention. Although thepresent invention is described in detail with reference to the previousimplementations, A person of ordinary skill in the art should understandthat modifications can still be made to the technical solutionsdescribed in the previous implementations or make equivalentreplacements to some or all technical features thereof, withoutdeparting from the scope of the technical solutions of theimplementations of the present invention.

FIG. 8 is a flowchart illustrating an example of a computer-implementedmethod 800 for executing an identity verification program duringcompletion of an identity verification of a user using a target serviceprogram, according to an implementation of the present disclosure. Forclarity of presentation, the description that follows generallydescribes method 800 in the context of the other figures in thisdescription. However, it will be understood that method 800 can beperformed, for example, by any system, environment, software, andhardware, or a combination of systems, environments, software, andhardware, as appropriate. In some implementations, various steps ofmethod 800 can be run in parallel, in combination, in loops, or in anyorder.

At 802, a detection is made that that a target service program is beingexecuted by a computing device. The target service program is one of aplurality of pre-defined service programs to be suspended to complete anidentity verification of a user using the target service program. Forexample, the target service program can be Program X running on a user'smobile device. From 802, method 800 proceeds to 804.

In some implementations, detecting that the target service program isexecuting can include determining if a particular target process isexecuting. For example, the detection module 30 can detect that ProgramX is executing a target process (for example, Target Process Y)associated with a service interface. The target service detection modulecan then determine that the target process (for example, Target ProcessY) is one of a plurality of pre-defined target processes to be used toidentify target service programs to be suspended. This determination canbe used as a proxy that the target service program (for example, ProgramX) is executing.

In some implementations, the target process can call a target functionused to display the service interface. For example, the target function(for example, Target Function Z) can be one of a plurality ofpre-defined target functions that are used to identify correspondingtarget service programs to be suspended.

At 804, execution of the target service program is suspended on thecomputing device. For example, the suspension module 32 can suspendexecution of the program executing on the user's mobile device. From804, method 800 proceeds to 806.

In some implementations, suspending execution of the target serviceprogram can be based on a set of pre-defined suspension policies. Forexample, the suspension module 32 can determine if a match existsbetween a pre-defined policy set and at least one of characteristicinformation of the target service program and characteristic informationof the target process run by the target service program. The suspensionmodule 32 can then suspend execution of the target service program whena determination is made that the match exists.

At 806, an identity verification program is executed on the computingdevice. The identity verification program can be configured to performthe identity verification of the user to obtain an identity verificationresult indicating whether an identity of the user is verified. Forexample, the identity verification of the user includes verifying atleast one of a gesture of the user, a fingerprint of the user, and apassword of the user. The identity verification program can typically beindependent from the target service program. For example, the identityverification program is not part of Program X. After 806, method 800stops.

In some implementations, method 800 can further include steps forresuming the target service program. For example, the verificationmodule 33 can determine that the identity verification result indicatesthat the identity of the user is verified. In response to determiningthat the identity verification result indicates that the identity of theuser is verified, the verification module 33 can resume the targetservice program.

In some implementations, method 800 can further include steps that occurwhen the user is not verified. For example, the verification module 33can determine that the identity verification result indicates that theidentity of the user is not verified. In response to determining thatthe identity verification result indicates that the identity of the useris not verified, the verification module 33 can terminate the targetservice program.

In some implementations, method 800 can further include pre-configuringthe policy set based on the characteristic information of the targetservice program and the characteristic information of the process. Forexample, the characteristic information includes one or more of anidentifier of the target service program, an identifier of the targetprocess, an identifier of the service interface, and a network addressof the service interface.

In some implementations, method 800 can further include determiningother service programs that are currently in use by the user. If otherprograms are currently in use by the user, then the suspension module 32can suspend the other service programs.

Techniques described in the present disclosure can reduce a degree ofcoupling between an identity verification program and service programsbeing used by users. For example, in conventional techniques, todetermine whether identity verification needs to be performed on theservice program, the service program itself needs to include interfaceprocessing logic, identity verification logic, and service processinglogic to verify a user's identity. In some implementations, the identityverification program is independent from a target service program. Inthis way, one identity verification program can be used to complete anidentity verification process through detection of the plurality ofservice programs. Having a central identity verification program canresolve maintenance issues associated with maintaining multiple identityverification program instances. Further, all service programs that arecurrently being operated by the user can be forced to quit.

Embodiments and the operations described in this specification can beimplemented in digital electronic circuitry, or in computer software,firmware, or hardware, including the structures disclosed in thisspecification or in combinations of one or more of them. The operationscan be implemented as operations performed by a data processingapparatus on data stored on one or more computer-readable storagedevices or received from other sources. A data processing apparatus,computer, or computing device may encompass apparatus, devices, andmachines for processing data, including by way of example a programmableprocessor, a computer, a system on a chip, or multiple ones, orcombinations, of the foregoing. The apparatus can include specialpurpose logic circuitry, for example, a central processing unit (CPU), afield programmable gate array (FPGA) or an application-specificintegrated circuit (ASIC). The apparatus can also include code thatcreates an execution environment for the computer program in question,for example, code that constitutes processor firmware, a protocol stack,a database management system, an operating system (for example anoperating system or a combination of operating systems), across-platform runtime environment, a virtual machine, or a combinationof one or more of them. The apparatus and execution environment canrealize various different computing model infrastructures, such as webservices, distributed computing and grid computing infrastructures.

A computer program (also known, for example, as a program, software,software application, software module, software unit, script, or code)can be written in any form of programming language, including compiledor interpreted languages, declarative or procedural languages, and itcan be deployed in any form, including as a stand-alone program or as amodule, component, subroutine, object, or other unit suitable for use ina computing environment. A program can be stored in a portion of a filethat holds other programs or data (for example, one or more scriptsstored in a markup language document), in a single file dedicated to theprogram in question, or in multiple coordinated files (for example,files that store one or more modules, sub-programs, or portions ofcode). A computer program can be executed on one computer or on multiplecomputers that are located at one site or distributed across multiplesites and interconnected by a communication network.

Processors for execution of a computer program include, by way ofexample, both general- and special-purpose microprocessors, and any oneor more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read-only memory ora random-access memory or both. The essential elements of a computer area processor for performing actions in accordance with instructions andone or more memory devices for storing instructions and data. Generally,a computer will also include, or be operatively coupled to receive datafrom or transfer data to, or both, one or more mass storage devices forstoring data. A computer can be embedded in another device, for example,a mobile device, a personal digital assistant (PDA), a game console, aGlobal Positioning System (GPS) receiver, or a portable storage device.Devices suitable for storing computer program instructions and datainclude non-volatile memory, media and memory devices, including, by wayof example, semiconductor memory devices, magnetic disks, andmagneto-optical disks. The processor and the memory can be supplementedby, or incorporated in, special-purpose logic circuitry.

Mobile devices can include handsets, user equipment (UE), mobiletelephones (for example, smartphones), tablets, wearable devices (forexample, smart watches and smart eyeglasses), implanted devices withinthe human body (for example, biosensors, cochlear implants), or othertypes of mobile devices. The mobile devices can communicate wirelessly(for example, using radio frequency (RF) signals) to variouscommunication networks (described below). The mobile devices can includesensors for determining characteristics of the mobile device's currentenvironment. The sensors can include cameras, microphones, proximitysensors, GPS sensors, motion sensors, accelerometers, ambient lightsensors, moisture sensors, gyroscopes, compasses, barometers,fingerprint sensors, facial recognition systems, RF sensors (forexample, Wi-Fi and cellular radios), thermal sensors, or other types ofsensors. For example, the cameras can include a forward- or rear-facingcamera with movable or fixed lenses, a flash, an image sensor, and animage processor. The camera can be a megapixel camera capable ofcapturing details for facial and/or iris recognition. The camera alongwith a data processor and authentication information stored in memory oraccessed remotely can form a facial recognition system. The facialrecognition system or one-or-more sensors, for example, microphones,motion sensors, accelerometers, GPS sensors, or RF sensors, can be usedfor user authentication.

To provide for interaction with a user, embodiments can be implementedon a computer having a display device and an input device, for example,a liquid crystal display (LCD) or organic light-emitting diode(OLED)/virtual-reality (VR)/augmented-reality (AR) display fordisplaying information to the user and a touchscreen, keyboard, and apointing device by which the user can provide input to the computer.Other kinds of devices can be used to provide for interaction with auser as well; for example, feedback provided to the user can be any formof sensory feedback, for example, visual feedback, auditory feedback, ortactile feedback; and input from the user can be received in any form,including acoustic, speech, or tactile input. In addition, a computercan interact with a user by sending documents to and receiving documentsfrom a device that is used by the user; for example, by sending webpages to a web browser on a user's client device in response to requestsreceived from the web browser.

Embodiments can be implemented using computing devices interconnected byany form or medium of wireline or wireless digital data communication(or combination thereof), for example, a communication network. Examplesof interconnected devices are a client and a server generally remotefrom each other that typically interact through a communication network.A client, for example, a mobile device, can carry out transactionsitself, with a server, or through a server, for example, performing buy,sell, pay, give, send, or loan transactions, or authorizing the same.Such transactions may be in real time such that an action and a responseare temporally proximate; for example an individual perceives the actionand the response occurring substantially simultaneously, the timedifference for a response following the individual's action is less than1 millisecond (ms) or less than 1 second (s), or the response is withoutintentional delay taking into account processing limitations of thesystem.

Examples of communication networks include a local area network (LAN), aradio access network (RAN), a metropolitan area network (MAN), and awide area network (WAN). The communication network can include all or aportion of the Internet, another communication network, or a combinationof communication networks. Information can be transmitted on thecommunication network according to various protocols and standards,including Long Term Evolution (LTE), 5G, IEEE 802, Internet Protocol(IP), or other protocols or combinations of protocols. The communicationnetwork can transmit voice, video, biometric, or authentication data, orother information between the connected computing devices.

Features described as separate implementations may be implemented, incombination, in a single implementation, while features described as asingle implementation may be implemented in multiple implementations,separately, or in any suitable sub-combination. Operations described andclaimed in a particular order should not be understood as requiring thatthe particular order, nor that all illustrated operations must beperformed (some operations can be optional). As appropriate,multitasking or parallel-processing (or a combination of multitaskingand parallel-processing) can be performed.

What is claimed is:
 1. A computer-implemented method, comprising:detecting that a target service program is being executed by a computingdevice, the target service program being one of a plurality ofpre-defined service programs to be suspended to complete an identityverification of a user using the target service program; suspendingexecution of the target service program on the computing device; andexecuting an identity verification program on the computing device, theidentity verification program configured to perform the identityverification of the user to obtain an identity verification resultindicating whether an identity of the user is verified, wherein theidentity verification program is independent from the target serviceprogram.
 2. The computer-implemented method of claim 1, whereindetecting that the target service program is executing comprises:detecting that the target service program is executing a target processassociated with a service interface; and determining that the targetprocess is one of a plurality of pre-defined target processes to be usedto identify target service programs to be suspended.
 3. Thecomputer-implemented method of claim 2, wherein the target process callsa target function used to display the service interface, and wherein thetarget function is one of a plurality of pre-defined target functions tobe used to identify corresponding target service programs to besuspended.
 4. The computer-implemented method of claim 1, furthercomprising: determining that the identity verification result indicatesthat the identity of the user is verified; and in response todetermining that the identity verification result indicates that theidentity of the user is verified, resuming the target service program.5. The computer-implemented method of claim 1, further comprising:determining that the identity verification result indicates that theidentity of the user is not verified; and in response to determiningthat the identity verification result indicates that the identity of theuser is not verified, terminating the target service program.
 6. Thecomputer-implemented method of claim 2, wherein suspending execution ofthe target service program comprises: determining if a match existsbetween a pre-defined policy set and at least one of characteristicinformation of the target service program and characteristic informationof the target process run by the target service program; and suspendingexecution of the target service program when a determination is madethat the match exists.
 7. The computer-implemented method of claim 6,further comprising pre-configuring the policy set based on thecharacteristic information of the target service program and thecharacteristic information of the process.
 8. The computer-implementedmethod of claim 7, wherein the characteristic information includes oneor more of an identifier of the target service program, an identifier ofthe target process, an identifier of the service interface, and anetwork address of the service interface.
 9. The computer-implementedmethod of claim 1, wherein the identity verification of the userincludes verifying at least one of a gesture of the user, a fingerprintof the user, and a password of the user.
 10. The computer-implementedmethod of claim 1, further comprising: determining other serviceprograms that are currently in use by the user; and suspending the otherservice programs.
 11. A non-transitory, computer-readable medium storingone or more instructions executable by a computer system to performoperations comprising: detecting that a target service program is beingexecuted by a computing device, the target service program being one ofa plurality of pre-defined service programs to be suspended to completean identity verification of a user using the target service program;suspending execution of the target service program on the computingdevice; and executing an identity verification program on the computingdevice, the identity verification program configured to perform theidentity verification of the user to obtain an identity verificationresult indicating whether an identity of the user is verified, whereinthe identity verification program is independent from the target serviceprogram.
 12. The non-transitory, computer-readable medium of claim 11,wherein detecting that the target service program is executingcomprises: detecting that the target service program is executing atarget process associated with a service interface; and determining thatthe target process is one of a plurality of pre-defined target processesto be used to identify target service programs to be suspended.
 13. Thenon-transitory, computer-readable medium of claim 12, wherein the targetprocess calls a target function used to display the service interface,and wherein the target function is one of a plurality of pre-definedtarget functions to be used to identify corresponding target serviceprograms to be suspended.
 14. The non-transitory, computer-readablemedium of claim 11, the operations further comprising: determining thatthe identity verification result indicates that the identity of the useris verified; and in response to determining that the identityverification result indicates that the identity of the user is verified,resuming the target service program.
 15. The non-transitory,computer-readable medium of claim 11, the operations further comprising:determining that the identity verification result indicates that theidentity of the user is not verified; and in response to determiningthat the identity verification result indicates that the identity of theuser is not verified, terminating the target service program.
 16. Acomputer-implemented system, comprising: one or more computers; and oneor more computer memory devices interoperably coupled with the one ormore computers and having tangible, non-transitory, machine-readablemedia storing one or more instructions that, when executed by the one ormore computers, perform one or more operations comprising: detectingthat a target service program is being executed by a computing device,the target service program being one of a plurality of pre-definedservice programs to be suspended to complete an identity verification ofa user using the target service program; suspending execution of thetarget service program on the computing device; and executing anidentity verification program on the computing device, the identityverification program configured to perform the identity verification ofthe user to obtain an identity verification result indicating whether anidentity of the user is verified, wherein the identity verificationprogram is independent from the target service program.
 17. Thecomputer-implemented system of claim 16, wherein detecting that thetarget service program is executing comprises: detecting that the targetservice program is executing a target process associated with a serviceinterface; and determining that the target process is one of a pluralityof pre-defined target processes to be used to identify target serviceprograms to be suspended.
 18. The computer-implemented system of claim17, wherein the target process calls a target function used to displaythe service interface, and wherein the target function is one of aplurality of pre-defined target functions to be used to identifycorresponding target service programs to be suspended.
 19. Thecomputer-implemented system of claim 16, the operations furthercomprising: determining that the identity verification result indicatesthat the identity of the user is verified; and in response todetermining that the identity verification result indicates that theidentity of the user is verified, resuming the target service program.20. The computer-implemented system of claim 16, the operations furthercomprising: determining that the identity verification result indicatesthat the identity of the user is not verified; and in response todetermining that the identity verification result indicates that theidentity of the user is not verified, terminating the target serviceprogram.